
CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Principles

This section describes the implementation of SNMP.

SNMP Management Model

The SNMP system is composed of the NMS, agent, management object, and MIB.

The NMS is the network management center of the network and manages devices on the network.

Each managed device has the agent process, MIB, and multiple managed objects. The NMS interacts with the agent on the managed device. The agent performs operations on the MIB to carry out the NMS request.

Figure 14-1 shows an SNMP management model.

Figure 14-1 SNMP management model

Elements in the network management system are as follows:

  • NMS

    A manager on the network, or a system using SNMP to manage and monitor network devices. The NMS runs on NMS servers.

    • An NMS can send requests to an agent on a device to query or modify the value of one or multiple parameters.
    • An NMS can receive traps sent from the agent on a device to learn the current status of the device.
  • Agent

    An agent is a process on the managed device. The agent maintains data on the managed device, receives and processes the request packets from the NMS, and then sends the response packets to the NMS.

    • Upon receiving requests of the NMS, the agent performs the required operation over the MIB and sends the operation result to the NMS.
    • When a fault or an event occurs on the device, the agent running on the device sends notifications to the NMS, reporting the current status of the device.
  • Management object

    Object to be managed. A device may have multiple management objects, including a hardware component (such as an interface board) and parameters (such as a route selection protocol) configured for the hardware or software.

  • MIB

    MIB is a database specifying variables that are maintained by the managed device and can be queried or set by the agent. MIB defines attributes of the managed device, including the name, status, access rights, and data type of objects.

    An agent can use the MIB to:

    • Learn the current status of the device.
    • Set the status parameter of the device.

    The SNMP MIB adopts a tree structure like the Domain Name System (DNS), with its root on the top without a name. Figure 14-2 shows a part of the MIB, called the object naming tree. Each object identifier (OID) maps to a managed object; for example, the system OID is 1.3.6.1.2.1.1, and the interface OID is 1.3.6.1.2.1.2.

    The OID tree facilitates information management and improves management efficiency. With the OID tree, the network administrator can query information in batches.

    When configuring the agent, the user can configure the MIB object access control for the NMS based on the MIB view. A MIB view is a subset of a MIB.

    Figure 14-2 OID tree

SNMPv1/SNMPv2c

SNMPv1/SNMPv2c Packet Format

As shown in Figure 14-3, an SNMPv1/SNMPv2c packet is composed of the version, community name, and SNMP Protocol Data Unit (PDU) fields.

Figure 14-3 SNMPv1/SNMPv2c packet format

The fields in an SNMPv1/SNMPv2c packet are defined as follows:

  • Version: SNMP version. The SNMPv1 packet field is 0, and the SNMPv2c packet field is 1.

  • Community name: used for authenticating operations between the agent and NMS. The community name is a string of characters and can be defined by users. The community name can be a read-only or write-only community name. To authenticate the GetRequest or GetNextRequest operations, use the read-only community name; to authenticate the Set operation, use the write-only community name.

  • SNMPv1/SNMPv2c PDU: includes the PDU type, request ID, and binding variable list. The SNMPv1 PDU includes GetRequest PDU, GetNextRequest PDU, SetRequest PDU, Response PDU, and Trap PDU. The SNMPv2c PDU inherits the SNMPv1 PDU and introduces the GetBulkRequest PDU and InformRequest PDU.

    For simplification, the SNMP operations are described as the Get, GetNext, Set, Response, Trap, GetBulk, and Inform operations.
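The packet layout described above, as an added example in standard-library Python (not code from this guide): it builds an SNMPv1 GetRequest for the sysContact instance (OID 1.3.6.1.2.1.1.4.0) with the community name public, and then parses the version, community name and PDU type back out in the order an agent checks them before it touches the MIB. The request ID, community name and OID in the demo are constructed values; the tags are the standard BER tags from RFC 1157 and RFC 3416.

```python
"""Encode and decode an SNMPv1/SNMPv2c message with plain BER.

Added example built on the Python standard library only; it is not code from
the Huawei guide. Tags follow RFC 1157 (SNMPv1) and RFC 3416 (SNMPv2c).
"""

# Universal ASN.1 tags used by SNMP
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30

# Context-specific PDU tags. The SNMPv1 Trap PDU (0xA4) has a different layout
# and is left out of this example.
PDU_TAGS = {"Get": 0xA0, "GetNext": 0xA1, "Response": 0xA2, "Set": 0xA3,
            "GetBulk": 0xA5, "Inform": 0xA6}
VERSION = {"v1": 0, "v2c": 1}   # value of the version field


def encode_length(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(n: int) -> bytes:
    length = max(1, (n.bit_length() + 8) // 8)   # minimal two's-complement size
    return encode_tlv(TAG_INTEGER, n.to_bytes(length, "big", signed=True))


def encode_oid(text: str) -> bytes:
    """Dotted OID -> BER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in text.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return encode_tlv(TAG_OID, bytes(out))


def build_message(version: str, community: str, pdu_type: str, request_id: int,
                  varbinds, error_status: int = 0, error_index: int = 0) -> bytes:
    """varbinds: OID strings (value NULL, as in a request) or (oid, encoded value) pairs."""
    encoded = b""
    for vb in varbinds:
        name, value = vb if isinstance(vb, tuple) else (vb, encode_tlv(TAG_NULL, b""))
        encoded += encode_tlv(TAG_SEQUENCE, encode_oid(name) + value)
    pdu = (encode_integer(request_id) + encode_integer(error_status)
           + encode_integer(error_index) + encode_tlv(TAG_SEQUENCE, encoded))
    return encode_tlv(TAG_SEQUENCE, encode_integer(VERSION[version])
                      + encode_tlv(TAG_OCTET_STRING, community.encode())
                      + encode_tlv(PDU_TAGS[pdu_type], pdu))


def decode_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_message(packet: bytes) -> dict:
    """Extract the fields an agent checks first: version, community, PDU type, OIDs."""
    _, body, _ = decode_tlv(packet)
    _, ver, pos = decode_tlv(body)
    _, community, pos = decode_tlv(body, pos)
    pdu_tag, pdu, _ = decode_tlv(body, pos)
    _, req_id, pos = decode_tlv(pdu)
    _, _, pos = decode_tlv(pdu, pos)          # error-status
    _, _, pos = decode_tlv(pdu, pos)          # error-index
    _, varbinds, _ = decode_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = decode_tlv(varbinds, pos)
        _, name, _ = decode_tlv(vb)
        oids.append(decode_oid(name))
    names = {tag: kind for kind, tag in PDU_TAGS.items()}
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(), "pdu_type": names[pdu_tag],
            "request_id": int.from_bytes(req_id, "big", signed=True), "oids": oids}


if __name__ == "__main__":
    # Constructed GetRequest for sysContact.0 (1.3.6.1.2.1.1.4.0), community "public"
    pkt = build_message("v1", "public", "Get", 1, ["1.3.6.1.2.1.1.4.0"])
    print(pkt.hex())
    print(parse_message(pkt))
```

Because the community name is a plain octet string inside the message, parse_message recovers it from any packet capture on the path; this is why SNMPv1/SNMPv2c community names have to be treated as credentials that are visible on the wire, and why the SNMPv3 section below adds authentication and encryption.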

SNMPv1/SNMPv2c Operations

As shown in Table 14-1, SNMPv1/SNMPv2c defines seven types of operations for exchanging information between the NMS and the agent.

Table 14-1 SNMPv1/SNMPv2c Operations

  • Get: The management process reads one or several parameter values from the MIB of the agent process.
  • GetNext: The management process reads the next parameter value from the MIB of the agent process.
  • Set: The management process sets the parameter value of one or more MIBs of the agent process.
  • Response: The agent process returns one or more queried values. The agent performs this operation in reply to the GetRequest, GetNextRequest, SetRequest, and GetBulkRequest operations. Upon receiving a Get or Set request, the agent performs the Query or Modify operation using MIB tables and then sends the responses to the NMS.
  • Trap: The agent process notifies the NMS of a fault or event on the managed device.
  • GetBulk: The NMS queries managed devices in batches.
  • Inform: The managed device notifies the NMS of an alarm on a managed device. After the managed device sends an inform, the NMS must send an InformResponse packet to the managed device.

NOTE:

SNMPv1 does not support the GetBulk and Inform operations.

Working Mechanisms of SNMPv1/SNMPv2c

The working mechanisms of SNMPv1 and SNMPv2c are similar, as shown in Figure 14-4.

Figure 14-4 Basic operations
  • Get

    The following assumes that the NMS wants to use the read-only community name public to obtain the value of the object sysContact on the managed devices. The procedure is as follows:
    1. NMS: sends a GetRequest packet to the agent. The fields of the packet are set as follows: The version is the SNMP version in use; the community name is public; the PDU type is Get; the MIB object is sysContact.

    2. Agent: authenticates the version and community name of the packet. When authentication succeeds, the agent encapsulates the queried sysContact value into the PDU of the response packet. Then the agent sends the response packet to the NMS. If the agent fails to obtain the sysContact value, the agent sends a response packet that reports the error to the NMS.

  • GetNext

    The following assumes that the NMS wants to use the community name public to obtain the value of the object sysName (object next to sysContact) on the managed device. The procedure is as follows:
    1. NMS: sends a GetNext request packet to the agent. The fields of the packet are set as follows: The version is the SNMP version in use; the community name is public; the PDU type is GetNext; the MIB object is sysContact.

    2. Agent: authenticates the version and community name of the packet. When authentication succeeds, the agent encapsulates the queried sysName value into the PDU of the response packet. Then the agent sends the response packet to the NMS. If the agent fails to obtain the sysName value, the agent sends a response packet that reports the error to the NMS.

  • Set

    The following assumes that the NMS wants to use the read-only community name private to set the value of the object sysName on the managed device to HUAWEI. The procedure is as follows:
    1. NMS: sends a SetRequest packet to the agent. The fields of the packet are set as follows: The version is the SNMP version in use; the community name is private; the PDU type is Set; the MIB object is sysContact; the target value is HUAWEI.

    2. Agent: authenticates the version and community name of the packet. When authentication succeeds, the agent sets the object mapping the requested management variable. If the setting succeeds, the agent sends a response packet to the NMS. If the setting fails, the agent sends a response packet that reports the error to the NMS.

  • Trap

    Trap is a spontaneous behavior of a managed device. Traps do not belong to the basic operations performed by the NMS on the managed device. If a managed device meets the triggering condition for generating a trap, the agent notifies the NMS of the exception by sending a trap. For example, when a managed device is started in hot startup mode, the agent sends a warmStart trap to the NMS.

    The agent sends the trap to the management process only when a module on the device meets the triggering condition for generating a trap. This method reduces exchange traffic by sending traps only when major events occur.

Figure 14-5 shows the operations that are added in SNMPv2c.

Figure 14-5 New operations in SNMPv2c
  • GetBulk

    The GetBulk operation is equivalent to a series of consecutive GetNext operations. You can set the number of GetNext operations that are performed during one GetBulk operation.

  • Inform

    A managed device sends an inform to notify the NMS of an alarm. After the managed device sends an inform, the NMS must send an InformResponse packet to the managed device. If the managed device does not receive the response packet, the managed device performs the following operations:
    1. Saves the alarm in the inform buffer.
    2. Repeatedly sends the alarm until the NMS returns the response packet or the number of times that the managed device has sent the alarm exceeds the allowed range.
    3. Generates an alarm log on the managed device.
    Therefore, informs may occupy many system resources.
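The Get, GetNext, Set and GetBulk exchanges of Figures 14-4 and 14-5, run by a simulated agent against a small MIB, as an added example (not the switch module's code): the agent checks the version and community name first and answers nothing when they fail, returns the error-status values a Response PDU carries (noSuchName and the others are the RFC 3416 codes), applies a Set only after every variable has been validated, and treats GetBulk as repeated GetNext. The MIB contents, the community names public and private, and their read-only/read-write assignment are constructed.

```python
"""Agent-side handling of Get, GetNext, Set and GetBulk against a small MIB.

Added example; the MIB contents and community names are constructed and the
agent is a simulation, not the switch module's implementation.
"""
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]


def oid(text: str) -> OID:
    return tuple(int(a) for a in text.strip(".").split("."))


def text(o: OID) -> str:
    return ".".join(map(str, o))


# Constructed system group (1.3.6.1.2.1.1, see Figure 14-2). Instances end in .0.
MIB: Dict[OID, str] = {
    oid("1.3.6.1.2.1.1.1.0"): "switch module (constructed sysDescr)",
    oid("1.3.6.1.2.1.1.4.0"): "admin@example.invalid",   # sysContact
    oid("1.3.6.1.2.1.1.5.0"): "switch-1",                # sysName
    oid("1.3.6.1.2.1.1.6.0"): "rack 3",                  # sysLocation
}
WRITABLE = {oid("1.3.6.1.2.1.1.4.0"), oid("1.3.6.1.2.1.1.5.0"), oid("1.3.6.1.2.1.1.6.0")}

# Constructed community names: "ro" may Get/GetNext/GetBulk, "rw" may also Set.
COMMUNITIES = {"public": "ro", "private": "rw"}

# error-status values carried in a Response PDU (RFC 3416)
NO_ERROR, TOO_BIG, NO_SUCH_NAME, BAD_VALUE, READ_ONLY, GEN_ERR = 0, 1, 2, 3, 4, 5

Result = Optional[Tuple[int, int, List[Tuple[str, str]]]]


class Agent:
    def __init__(self, mib: Dict[OID, str], communities: Dict[str, str]):
        self.mib = dict(mib)
        self.communities = communities
        self.auth_failures = 0   # worth exporting: guessing attempts show up here

    def _authorized(self, version: int, community: str, need_write: bool) -> bool:
        if version not in (0, 1) or community not in self.communities:
            return False
        return not need_write or self.communities[community] == "rw"

    def _next(self, start: OID) -> Optional[OID]:
        """Lexicographically next instance after `start` (tuple order is OID order)."""
        later = sorted(o for o in self.mib if o > start)
        return later[0] if later else None

    def handle(self, version: int, community: str, op: str, varbinds,
               max_repetitions: int = 1) -> Result:
        """Return (error_status, error_index, varbinds) as a Response PDU would carry
        them, or None when the agent drops the request without answering."""
        if not self._authorized(version, community, need_write=(op == "Set")):
            # Authentication failure: no Response is sent; the agent may emit an
            # authenticationFailure trap instead.
            self.auth_failures += 1
            return None
        if op == "GetBulk" and version == 0:
            return None   # SNMPv1 has no GetBulk PDU
        names = [oid(vb[0] if isinstance(vb, tuple) else vb) for vb in varbinds]
        found: List[Tuple[OID, str]] = []
        if op == "Get":
            for i, name in enumerate(names, 1):
                if name not in self.mib:
                    return NO_SUCH_NAME, i, []
                found.append((name, self.mib[name]))
        elif op in ("GetNext", "GetBulk"):
            reps = max_repetitions if op == "GetBulk" else 1
            for i, name in enumerate(names, 1):
                cur = name
                for _ in range(reps):
                    cur = self._next(cur)
                    if cur is None:           # ran off the end of the MIB
                        if op == "GetNext":
                            return NO_SUCH_NAME, i, []
                        break                 # GetBulk simply returns what it has
                    found.append((cur, self.mib[cur]))
        elif op == "Set":
            for i, (name, (_, value)) in enumerate(zip(names, varbinds), 1):
                if name not in self.mib:
                    return NO_SUCH_NAME, i, []
                if name not in WRITABLE:
                    return READ_ONLY, i, []
                if not isinstance(value, str):
                    return BAD_VALUE, i, []
            for name, (_, value) in zip(names, varbinds):   # all checks passed: apply as a unit
                self.mib[name] = value
            found = [(name, self.mib[name]) for name in names]
        else:
            return GEN_ERR, 0, []
        return NO_ERROR, 0, [(text(n), v) for n, v in found]


if __name__ == "__main__":
    agent = Agent(MIB, COMMUNITIES)
    print(agent.handle(0, "public", "Get", ["1.3.6.1.2.1.1.4.0"]))        # sysContact
    print(agent.handle(0, "public", "GetNext", ["1.3.6.1.2.1.1.4.0"]))    # next object: sysName
    print(agent.handle(0, "public", "Set", [("1.3.6.1.2.1.1.5.0", "HUAWEI")]))   # None: ro community
    print(agent.handle(1, "private", "Set", [("1.3.6.1.2.1.1.5.0", "HUAWEI")]))
    print(agent.handle(1, "public", "GetBulk", ["1.3.6.1.2.1.1"], max_repetitions=10))
```

Two details carry over to a real deployment: a request that fails the community check gets no Response at all, so the only trace is the agent's authentication-failure counter (and the authenticationFailure trap if it is enabled), and a Set is rejected as a whole if any one variable in it is invalid, so partial writes do not occur.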

SNMPv3

SNMPv3 Packet Format

SNMPv3 defines a new packet format shown in Figure 14-6.

Figure 14-6 SNMPv3 packet format

The following describes the composition of an SNMPv3 packet:

  • Version: SNMP version. The SNMPv3 packet field is 2.
  • Header: information such as the maximum message size supported by the transmitter, and security mode of messages.
  • Security parameters: security information including the entity engine information, user name, authentication parameter, and encryption information.
  • Context EngineID: SNMP ID. Together with the PDU type, it determines which application messages are to be sent.
  • Context Name: determines the Context EngineID MIB view of the managed device.
  • SNMPv3 PDU: includes the PDU type, request ID, and binding variable list. The SNMPv3 PDU includes GetRequest PDU, GetNextRequest PDU, SetRequest PDU, Response PDU, Trap PDU, GetBulkRequest PDU, and InformRequest PDU.
SNMPv3 Architecture

SNMPv3 uses the SNMPv3 entity for the communication between different SNMP-enabled NMSs. An SNMPv3 entity consists of SNMPv3 engines and applications, and each SNMPv3 engine or application has multiple modules.

The modular architecture of the SNMP entity has the following advantages:
  • Strong adaptability: This architecture is adaptable for both simple and complex networks.
  • Easy management: This architecture consists of multiple independent sub-systems and applications. When a fault occurs in the system, it is easy to locate the sub-system to which the fault belongs based on the fault type.
  • Excellent expandability: An SNMP system can be extended by increasing the number of modules on the SNMP entity. For example, a module can be added in the security sub-system for the application of a new security protocol.
SNMPv3 improves security by adopting the user security model (USM) and view-based access control model (VACM).
  • USM: authenticates user identity and encrypts data. These two functions require that the NMS and the agent use a shared key.

    • Identity authentication: a process in which the agent (or the NMS) confirms whether the received message is from an authorized NMS (or agent) and whether the message was changed during transmission. RFC 2104 defines Keyed-Hashing for Message Authentication Code (HMAC), an effective tool that uses a secure hash function and a key to generate the message authentication code. This tool is widely used on the Internet. The HMAC variants used in SNMP are HMAC-MD5-96 and HMAC-SHA-96. The hash function of HMAC-MD5-96 is MD5, which uses a 128-bit authKey to generate the key. The hash function of HMAC-SHA-96 is SHA-1, which uses a 160-bit authKey to generate the key.

    • Data encryption: like identity authentication, data encryption also requires the network management station and the agent to use a shared key for encryption and decryption. ESP encrypts the IP packet contents to prevent them from being intercepted during transmission. Encryption algorithms are implemented by using a symmetric key system, which uses the same key to encrypt and decrypt data. SNMP uses the following encryption algorithms:

      • Data Encryption Standard (DES): encrypts a 64-bit plain text by using a 56-bit key.
      • Triple Data Encryption Standard (3DES): encrypts a plain text by using three 56-bit DES keys (a 168-bit key).
      • Advanced Encryption Standard (AES): encrypts a plain text by using a key of 128 bits, 192 bits, or 256 bits.
      NOTE:

      The preceding encryption algorithms are listed in ascending order of security. A more secure encryption algorithm requires more system resources, so the computing speed is slower. The DES algorithm is used when low security is required.

  • VACM: controls access of user groups or community names based on the view. You must pre-configure a view and specify its authority. Then, when you configure a user, user group, or community, load this view to implement read/write restriction or trap function.
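The MIB view introduced under MIB above and the view-based access check described here, as an added example (constructed views, not the switch module's configuration): a view is a list of included and excluded subtrees, the most specific matching subtree decides, a group is bound to separate read, write and notify views, and an operation whose OID falls outside the relevant view is refused. The sample policy reads everything under 1.3.6.1 except the USM user table (1.3.6.1.6.3.15) and the VACM tables (1.3.6.1.6.3.16) and writes only the system group; those OIDs are the standard MIB assignments, the policy itself is constructed. The family masks of RFC 3415 are omitted.

```python
"""View-based access control (VACM, RFC 3415) for SNMP: a MIB view is a set of
included/excluded subtrees, and the longest matching subtree decides.

Added example; the views and policy below are constructed for illustration,
not taken from the switch module's configuration.
"""
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    return tuple(int(a) for a in text.strip(".").split("."))


class MibView:
    """List of (subtree, 'included'|'excluded') families; RFC 3415 masks omitted."""

    def __init__(self) -> None:
        self.families: List[Tuple[OID, str]] = []

    def add(self, subtree: str, kind: str = "included") -> "MibView":
        self.families.append((parse_oid(subtree), kind))
        return self

    def allows(self, oid_text: str) -> bool:
        oid = parse_oid(oid_text)
        best: Optional[Tuple[OID, str]] = None
        for subtree, kind in self.families:
            # prefix match; the most specific (longest) matching subtree wins
            if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
                best = (subtree, kind)
        return best is not None and best[1] == "included"   # empty view denies everything


class GroupAccess:
    """Read, write and notify views bound to one group (a community name or a
    USM user is mapped to a group, then the group's views are consulted)."""

    def __init__(self, read: Optional[MibView] = None, write: Optional[MibView] = None,
                 notify: Optional[MibView] = None) -> None:
        self.views: Dict[str, Optional[MibView]] = {
            "Get": read, "GetNext": read, "GetBulk": read,
            "Set": write, "Trap": notify, "Inform": notify}

    def permits(self, op: str, oid_text: str) -> bool:
        view = self.views.get(op)
        return view is not None and view.allows(oid_text)


# Constructed policy: read all of internet (1.3.6.1) except the USM user table
# (1.3.6.1.6.3.15) and the VACM tables (1.3.6.1.6.3.16); write only the system
# group (1.3.6.1.2.1.1); notify only under snmpTraps (1.3.6.1.6.3.1.1.5).
READ_VIEW = (MibView().add("1.3.6.1")
             .add("1.3.6.1.6.3.15", "excluded")
             .add("1.3.6.1.6.3.16", "excluded"))
WRITE_VIEW = MibView().add("1.3.6.1.2.1.1")
NOTIFY_VIEW = MibView().add("1.3.6.1.6.3.1.1.5")
OPERATOR = GroupAccess(read=READ_VIEW, write=WRITE_VIEW, notify=NOTIFY_VIEW)
READ_ONLY_GROUP = GroupAccess(read=READ_VIEW)        # no write view bound at all

if __name__ == "__main__":
    for op, target in [("Get", "1.3.6.1.2.1.1.4.0"), ("Get", "1.3.6.1.6.3.15.1.2.2.1.3"),
                       ("Set", "1.3.6.1.2.1.1.5.0"), ("Set", "1.3.6.1.2.1.2.2.1.7.1")]:
        print(op, target, OPERATOR.permits(op, target))
```

Excluding the USM and VACM subtrees from the read view is the reason the sample is built this way: a read-only user who can walk those tables can enumerate the other configured user names and access rights, so the view is the place to close that off rather than relying on the community or user name alone.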

SNMPv3 Mechanism

The mechanism of SNMPv3 is similar to those of SNMPv1 and SNMPv2c, but SNMPv3 supports identity authentication and encryption. The following describes the SNMPv3 mechanism by using the Get operation as an example.

The following assumes that the NMS wants to obtain the value of the object sysContact on the managed device in authentication and encryption mode, as shown in Figure 14-7.

Figure 14-7 Get operation of SNMPv3
  1. NMS: sends a GetRequest packet without security parameters to the agent and requests the values of Context EngineID, Context Name, and security parameter.

  2. Agent: responds to the request from the NMS by providing the requested parameters.

  3. NMS: sends a GetRequest packet to the agent. The packet fields are set as follows:
    • Version: SNMPv3.
    • Header: specifies authentication and encryption.
    • Security parameters: The NMS calculates the authentication and encryption parameters using the configured algorithm. These parameters and security parameters are filled in the corresponding fields.
    • PDU: Set corresponding fields using the obtained Context EngineID and Context Name. The PDU type is set to Get, the MIB object is sysContact, and the configured encryption algorithm is used to encrypt the PDU.
  4. Agent: authenticates the message. When authentication succeeds, the agent decrypts the PDU. When decryption succeeds, the agent obtains the value of sysContact and encapsulates it in the PDU of the response packet. The agent encrypts the PDU and sends the response packet to the NMS. If the query, authentication, or decryption fails, the agent sends a response packet that reports the error to the NMS.
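The USM authentication step of the exchange above, as an added example in standard-library Python (not Huawei's implementation): the password is stretched into the 128-bit (MD5) or 160-bit (SHA-1) authKey and localized with the agent's engine ID as RFC 3414 specifies, and the 96-bit truncated HMAC is computed over the message with the msgAuthenticationParameters field zeroed, then recomputed and compared on the receiving side. The password and engine ID are the RFC 3414 Appendix A test values; the header and scoped PDU bytes are constructed placeholders, not real SNMPv3 encoding, and the encryption step (DES/3DES/AES) is not shown.

```python
"""USM authentication for SNMPv3 (RFC 3414): password-to-key localization and
the 96-bit truncated HMAC placed in msgAuthenticationParameters.

Added example using only the Python standard library; it is not the switch
module's implementation. Password and engine ID are the RFC 3414 Appendix A
test values; the message bytes are constructed placeholders.
"""
import hashlib
import hmac

AUTH_PROTOCOLS = {"HMAC-MD5-96": "md5", "HMAC-SHA-96": "sha1"}
MAC_LEN = 12   # 96 bits


def password_to_key(password: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """RFC 3414 A.2: hash 1 MiB of the repeated password (Ku), then localize it
    with the agent's engine ID (Kul) so every agent holds a different key."""
    total = 1024 * 1024
    stretched = (password * (total // len(password) + 1))[:total]
    ku = hashlib.new(algorithm, stretched).digest()      # 16 bytes for MD5, 20 for SHA-1
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def authenticate(message: bytes, offset: int, key: bytes, algorithm: str) -> bytes:
    """Fill the 12-byte msgAuthenticationParameters field at `offset`. The HMAC is
    computed over the whole message with that field set to zeros (RFC 3414 6.3.1)."""
    zeroed = message[:offset] + bytes(MAC_LEN) + message[offset + MAC_LEN:]
    mac = hmac.new(key, zeroed, algorithm).digest()[:MAC_LEN]
    return message[:offset] + mac + message[offset + MAC_LEN:]


def verify(message: bytes, offset: int, key: bytes, algorithm: str) -> bool:
    """Receiver side: recompute over the zeroed field and compare in constant time."""
    received = message[offset:offset + MAC_LEN]
    expected = authenticate(message, offset, key, algorithm)[offset:offset + MAC_LEN]
    return hmac.compare_digest(received, expected)


# RFC 3414 A.3 test inputs
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Constructed stand-ins for the bytes around the authentication field
HEADER = b"<constructed msgGlobalData and security parameters>"
SCOPED_PDU = b"<constructed scoped PDU: contextEngineID, contextName, GetRequest sysContact>"
OFFSET = len(HEADER)
TEMPLATE = HEADER + bytes(MAC_LEN) + SCOPED_PDU

if __name__ == "__main__":
    for name, algo in AUTH_PROTOCOLS.items():
        key = password_to_key(PASSWORD, ENGINE_ID, algo)
        signed = authenticate(TEMPLATE, OFFSET, key, algo)
        print(name, "localized key:", key.hex(), "valid:", verify(signed, OFFSET, key, algo))
```

Localization is what ties the shared key to one agent: the same password yields a different Kul for every engine ID, so a key recovered from one device does not authenticate to another, and the engine ID discovery in step 1 of the exchange exists so the NMS can derive the right key before it signs anything.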

SNMPv3 User Group and User Name

A device running SNMPv3 connects to the NMS through user group and user name.

The user group and user name are configured in two ways:

  • Configure the user group and user name in the USM module of SNMP.
  • Use the AAA local user group and user name as the SNMPv3 user group and user name.
NOTE:

SNMPv3 supports authentication using authentication, authorization, and accounting (AAA) user names. The network administrator can use the AAA local user name in the SNMPv3, FTP, Telnet, and SSH features in order to manage the device by using a uniform user name.

Updated: 2019-08-09

Document ID: EDOC1000041694